Direct Access Management for Network Elements Solution Brief
By: Ali Gomulu
Today we introduced our newest solution brief, ‘Direct Access Management for Network Elements,’ which details accidental or intentional attempts from users’ devices to reach remote network elements (switches, routers, etc.) directly rather than through Ironsphere, and the preventative measures that negate these efforts. Privileged Access Management can be approached using four distinct methods:
- Changing the owner of the privileged credentials (from users to Ironsphere)
- Blocking direct access at the network level
- Detecting and responding to direct access attempts
- Deploying Access Control Agents on Hosts/Servers
This new solution brief details the fourth option – Deploying Access Control Agents on Hosts/Servers – specifically as it applies to network elements.
Although the challenge is similar to managing direct access to Linux/Windows servers, the solution requires different components for network elements. All network elements support the TACACS+ protocol out-of-the-box, which handles remote authentication and related network access control services through a centralized server. Network elements use this built-in “Access Control Agent” to detect and handle users’ remote console access attempts. For every attempt to access or configure a network element, the Access Control Agent determines whether the user is granted access and limits the commands available, based on decisions from a centralized server. When a user attempts to log in or run a command, the access request is forwarded to the Ironsphere central server, which completes authentication and authorization against the allowed/denied policy settings. This is done with the Ironsphere server’s built-in TACACS and RADIUS servers, enabling organizations to implement segregation of duties by eliminating unsupervised user access and centrally managing which users can access which servers.
The access permission and session privilege policies are managed and enforced by the central Ironsphere server (i.e., the Policy Decision Server). In addition, all session details, user activity, and access attempts are tracked, logged, and relayed to the central server, giving greater visibility into user activity across the network elements in the organization’s technology infrastructure.
This In-Session Privilege Management uses TACACS and RADIUS to handle remote authentication attempts and forward requests to the centralized Policy Decision Server, which lets the network element either allow or block the user from executing each command. Once the session between the user’s computer and the network element is established, the Ironsphere server tracks all user activity and handles the user’s privilege elevation requests. For each user request, the network element applies the privileges returned by the Policy Decision Server: depending on the level of access granted to the user, it either allows or blocks execution of the specific command.
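To make the per-command flow concrete, the following toy policy decision server is an added example (not Ironsphere’s code and not the TACACS+ wire protocol): it models the allow/deny answer a network element would receive for each forwarded command, using default-deny role policies, per-user device scope for segregation of duties, and an audit entry for every decision. The user names, roles, device groups and commands are constructed assumptions.

```python
"""Toy model of a central policy decision server for TACACS+-style command
authorization. The network element forwards (user, device, command); the
server answers permit/deny and records an audit entry. Constructed example;
roles, device names and command patterns are assumptions, not product data."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Role -> allowlisted command patterns (shell-style globs). Anything not
# matched is denied: in-session least privilege is a default-deny policy.
ROLE_COMMANDS = {
    "netops-readonly": ["show *", "ping *", "traceroute *"],
    "netops-admin": ["show *", "ping *", "configure terminal", "interface *",
                     "description *", "shutdown", "no shutdown", "write memory"],
}

# User -> role plus the device groups that user may touch (segregation of duties).
USERS = {
    "alice": {"role": "netops-admin", "devices": ["core-*", "edge-*"]},
    "bob": {"role": "netops-readonly", "devices": ["edge-*"]},
}


@dataclass
class PolicyDecisionServer:
    audit_log: list = field(default_factory=list)

    def authorize(self, user: str, device: str, command: str) -> bool:
        """Return True if `user` may run `command` on `device`; default deny."""
        cmd = " ".join(command.split())  # normalise whitespace before matching
        entry = USERS.get(user)
        decision, reason = False, "unknown user"
        if entry is not None:
            if not any(fnmatchcase(device, d) for d in entry["devices"]):
                reason = "device not in user's scope"
            elif any(fnmatchcase(cmd, p) for p in ROLE_COMMANDS[entry["role"]]):
                decision, reason = True, "matched role policy"
            else:
                reason = "command not permitted for role"
        # Every decision, permitted or not, is part of the audit trail.
        self.audit_log.append({"user": user, "device": device, "command": cmd,
                               "decision": "PERMIT" if decision else "DENY",
                               "reason": reason})
        return decision
```

Note that whole-string glob matching keeps `shutdown` from also permitting `no shutdown`; a substring or prefix match would silently widen the policy.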
Our built-in TACACS+ server provides a variety of direct access capabilities that can be used to manage exceptional or edge use cases:
- Segregation of duties: central management of which users have direct access to which servers
- Single-Sign-On: enable users to log in to network elements with their personal accounts on Active Directory
- Multi-Factor Authentication: additional security layer to ensure the person accessing the network element is who they claim to be
- In-Session Least Privilege Management: central management of which users can or cannot execute which commands on remote network elements
- Role-based Privilege Management
- Unified Visibility and Audit Trails of all user activities during direct access sessions
Learn more about the details of our PAM solution, which is the fastest and easiest to deploy in the market due to its agentless man-in-the-middle architecture, by downloading our Direct Access Management for Network Elements solution brief here.